-Privilege separation, or privsep, is an experimental feature in
-OpenSSH in which operations that require root privilege are performed
-by a separate privileged monitor process. Its purpose is to prevent
-privilege escalation by containing corruption to an unprivileged
-process. More information is available at:
+Privilege separation, or privsep, is method in OpenSSH by which
+operations that require root privilege are performed by a separate
+privileged monitor process. Its purpose is to prevent privilege
+escalation by containing corruption to an unprivileged process.
+More information is available at:
http://www.citi.umich.edu/u/provos/ssh/privsep.html
-Privilege separation is not enabled by default, and may be enabled by
-specifying "UsePrivilegeSeparation yes" in sshd_config; see the
-UsePrivilegeSeparation option in sshd(8).
+Privilege separation is now enabled by default; see the
+UsePrivilegeSeparation option in sshd_config(5).
+
+On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
+compression must be disabled in order for privilege separation to
+function.
When privsep is enabled, the pre-authentication sshd process will
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
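Review bot: the added paragraph on systems lacking mmap or anonymous (MAP_ANON) memory mapping says compression "must be disabled" but not how. Name the option or build setting that turns it off and the man page that documents it, the same way the preceding sentence points to UsePrivilegeSeparation in sshd_config(5). Separately, the first added line reads "is method in OpenSSH" and is missing its article; it should be "is a method in OpenSSH by which".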
Privsep requires operating system support for file descriptor passing
and mmap(MAP_ANON).
-PAM-enabled OpenSSH is known to function with privsep on Linux and
-Solaris 8. It does not function on HP-UX with a trusted system
+PAM-enabled OpenSSH is known to function with privsep on Linux.
+It does not function on HP-UX with a trusted system
configuration. PAMAuthenticationViaKbdInt does not function with
privsep.
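Review bot: the unchanged context at the top of this hunk, "Privsep requires operating system support for file descriptor passing and mmap(MAP_ANON)", now contradicts the paragraph this patch adds earlier, which says privsep functions without mmap or MAP_ANON as long as compression is disabled. Reword the context sentence so only file descriptor passing is a hard requirement, or cross-reference the compression caveat. Also, in the PAM sentence, "and Solaris 8" is dropped without explanation; if privsep with PAM is known to fail there, list Solaris 8 alongside HP-UX in the "does not function" sentence, otherwise readers cannot tell broken from untested.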